Implement access control

You must implement access control to provide your Marketing Manager the authority to manage your new folders in the Marketing tool. To implement the access control, you must create the access control policy for the folder service on the Marketing Manager role.

Attention: This tutorial is based on the folder support that is included in Feature Pack 5 and is not recommended if you are on a newer feature pack level. Beginning with Feature Pack 6, support is provided by default for grouping e-Marketing Spots, activities, customer segments, marketing content, promotions, and attribute dictionary attributes. This support includes the capability of creating, changing, and deleting folders within the Management Center Catalogs, Marketing, and Promotions tools. You are not able to group folders created by following this tutorial with folders that are created by using Management Center. If you create Management Center folders by following the steps included in this tutorial, delete those folders before you create folders by using Management Center. For more information about folders, see Folders.

Feature Pack 7 or later Support is provided by default for grouping content pages and layouts in the Commerce Composer tool. This support includes creating, changing, and deleting folders with the Commerce Composer tool.

About this task

Access control policies are enabled to limit users from accessing the folder services for a particular noun or group of nouns. By default, a Marketing Manager has only the authority to manage folders in the promotions tool. To provide a Marketing Manager with the authority to perform actions on folders, you must define new actions, action groups, resource groups, and policies. For more information about access control, actions, and action groups, see access control policy.

For more information about implementing access control, see access control in the BOD command framework.

Before you implement access control, use the Marketing Manager role that you created and browse in the Marketing tool for your Aurora starter store. If you browse the E-Marketing Spot folders, you cannot view the folder details. If you attempt to view the folder details, the following message is outputted in the console panel:

[5/1/12 14:22:35:418 EDT] 000001ce CommerceSrvr  E AccManager isAllowed CMN1501E: User 502 does not have the authority to perform action "Display" on resource "com.ibm.commerce.infrastructure.facade.server.authorization.FolderTypeProtectableProxy" for command "Display".

When you implement the access control, your Marketing Manager role can view the folder details and manage the folder contents.

To implement access control, complete the following steps:

Procedure

Navigate to the directory WCDE_installdir\xml\policies\xml.
Create a file named ProjectAccessControlPolicies.xml
Open the ProjectAccessControlPolicies.xml for editing.

Define the new action group for folders. Add the following code to the file. The action group that is defined in this code contains all the access profiles the group can use

<!-- To define the  action group -->
	<ActionGroup Name="Project-Folders-MarketingManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="GetFolder.IBM_Admin_Details"/>
		<ActionGroupAction Name="GetFolder.IBM_Admin_ChildFolderItems"/>
	</ActionGroup>

<!-- Project-Folders-ProjectManagers action group process action -->
	<ActionGroup Name="Project-Folders-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="DisplayResourceAction"/>
		<ActionGroupAction Name="CreateResourceAction"/>
		<ActionGroupAction Name="DeleteResourceAction"/>
		<ActionGroupAction Name="ChangeResourceAction"/>
	</ActionGroup>
<!-- Project-Folders-ProjectToolViewers action group process action -->
	<ActionGroup Name="Project-Folders-MarketingToolViewers-ActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="DisplayResourceAction"/>
	</ActionGroup>

Define a new resource group definition to provide the flexibility to protect resources of a particular state. If you want a policy for users that provides access to the folders of a particular object type, you must define a new resource group. The resource group limits the specified actions to the EMarketingSpotFolder object types. Add the following code to the ProjectAccessControlPolicies.xml file.

<!-- To define the new resource group for the emarketingSpots folder -->
	<ResourceGroup Name="EMarketingSpots-Folders-ResourceGroup" OwnerID="RootOrganization">
	<ResourceCondition>
		<![CDATA[
			<profile>
				<andListCondition>
					<simpleCondition>
						<variable name="FolderType"/>
						<operator name="="/>
						<value data="EMarketingSpotFolder"/>
					</simpleCondition>
					<simpleCondition>
						<variable name="classname"/>
						<operator name="="/>
						<value data="com.ibm.commerce.infrastructure.facade.server.authorization.FolderTypeProtectableProxy"/>
					</simpleCondition>
				</andListCondition>
			</profile>
		]]>
	</ResourceCondition>
	</ResourceGroup>

Define the new policy with the action group. Add the following code to the ProjectAccessControlPolicies.xml file.

<Policy Name="Project-Folder-MarketingToolViewers-Policy"
		OwnerID="RootOrganization"
		UserGroup="AllUsers"
		ActionGroupName="Project-Folders-MarketingToolViewers-ActionGroup"
		ResourceGroupName="EMarketingSpots-Folders-ResourceGroup"
		PolicyType="groupableStandard" />

	<!-- To define the new Project-Folders-ProjectManagers access profile access policy -->

	<Policy Name="Project-Folders-ProjectManagers-AccessProfilePolicy"
		OwnerID="RootOrganization"
		UserGroup="CampaignManagersForOrg"
		ActionGroupName="Project-Folders-MarketingManagers-AccessProfileActionGroup"
		ResourceGroupName="AccessProfileResourceGroup"
		PolicyType="groupableTemplate" />
 
	<!-- The Project-Folders-ProjectManagers policy -->

	<Policy Name="Project-Folders-ProjectManagers-Policy"
		OwnerID="RootOrganization"
		UserGroup="CampaignManagersForOrg"
		ActionGroupName="Project-Folders-ProjectManagers-ActionGroup"
		ResourceGroupName="EMarketingSpots-Folders-ResourceGroup"
		PolicyType="groupableTemplate" />

	<!--  defining policy groups -->
		<PolicyGroup Name="ManagementAndAdministrationPolicyGroup" OwnerID="RootOrganization">
			<PolicyGroupPolicy Name="Project-Folders-ProjectManagers-AccessProfilePolicy" PolicyOwnerID="RootOrganization"/>
			<PolicyGroupPolicy Name="Project-Folder-MarketingToolViewers-Policy" PolicyOwnerID="RootOrganization"/>
			<PolicyGroupPolicy Name="Project-Folders-ProjectManagers-Policy" PolicyOwnerID="RootOrganization"/>
		</PolicyGroup>

Save your changes. Ensure that your updated access profile xml file resembles the following sample file:

<?xml version="1.0" encoding="ISO-8859-1" standalone="no" ?>
 
<!DOCTYPE Policies SYSTEM "../dtd/accesscontrolpolicies.dtd">
 
<Policies>

	<Attribute Name="FolderType" Type="String">
	</Attribute>

	<Action Name="GetFolder.IBM_Admin_Details" CommandName="GetFolder.IBM_Admin_Details"/>
	<Action Name="GetFolder.IBM_Admin_ChildFolderItems" CommandName="GetFolder.IBM_Admin_ChildFolderItems"/>

	<Action
		Name="DisplayResourceAction"
		CommandName="Display"
	/>

	<Action
		Name="CreateResourceAction"
		CommandName="Create"
	/>

	<Action
		Name="DeleteResourceAction"
		CommandName="Delete"
	/>

	<Action
		Name="ChangeResourceAction"
		CommandName="Change"
	/>

<!-- To define the  action group -->
	<ActionGroup Name="Project-Folders-MarketingManagers-AccessProfileActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="GetFolder.IBM_Admin_Details"/>
		<ActionGroupAction Name="GetFolder.IBM_Admin_ChildFolderItems"/>
	</ActionGroup>

<!-- Project-Folders-ProjectManagers action group process action -->
	<ActionGroup Name="Project-Folders-ProjectManagers-ActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="DisplayResourceAction"/>
		<ActionGroupAction Name="CreateResourceAction"/>
		<ActionGroupAction Name="DeleteResourceAction"/>
		<ActionGroupAction Name="ChangeResourceAction"/>
	</ActionGroup>

<!-- Project-Folders-ProjectToolViewers action group process action -->
	<ActionGroup Name="Project-Folders-MarketingToolViewers-ActionGroup" OwnerID="RootOrganization">
		<ActionGroupAction Name="DisplayResourceAction"/>
	</ActionGroup>

<!-- To define the new resource group for the emarketingSpots folder -->
	<ResourceGroup Name="EMarketingSpots-Folders-ResourceGroup"  OwnerID="RootOrganization">
		<ResourceCondition>
			<![CDATA[
				<profile>
					<andListCondition>
						<simpleCondition>
							<variable name="FolderType"/>
							<operator name="="/>
							<value data="EMarketingSpotFolder"/>
						</simpleCondition>
						<simpleCondition>
							<variable name="classname"/>
							<operator name="="/>
							<value data="com.ibm.commerce.infrastructure.facade.server.authorization.FolderTypeProtectableProxy"/>
						</simpleCondition>
					</andListCondition>
				</profile>
			]]>
		</ResourceCondition>
	</ResourceGroup>

	<Policy Name="Project-Folder-MarketingToolViewers-Policy"
		OwnerID="RootOrganization"
		UserGroup="AllUsers"
		ActionGroupName="Project-Folders-MarketingToolViewers-ActionGroup"
		ResourceGroupName="EMarketingSpots-Folders-ResourceGroup"
		PolicyType="groupableStandard" />

<!-- To define the new Project-Folders-ProjectManagers access profile access policy -->
	<Policy Name="Project-Folders-ProjectManagers-AccessProfilePolicy"
		OwnerID="RootOrganization"
		UserGroup="CampaignManagersForOrg"
		ActionGroupName="Project-Folders-MarketingManagers-AccessProfileActionGroup"
		ResourceGroupName="AccessProfileResourceGroup"
		PolicyType="groupableTemplate" />
 
<!-- The Project-Folders-ProjectManagers policy -->
	<Policy Name="Project-Folders-ProjectManagers-Policy"
		OwnerID="RootOrganization"
		UserGroup="CampaignManagersForOrg"
		ActionGroupName="Project-Folders-ProjectManagers-ActionGroup"
		ResourceGroupName="EMarketingSpots-Folders-ResourceGroup"
		PolicyType="groupableTemplate" />

<!--  defining policy groups -->
	<PolicyGroup Name="ManagementAndAdministrationPolicyGroup" OwnerID="RootOrganization">
		<PolicyGroupPolicy Name="Project-Folders-ProjectManagers-AccessProfilePolicy" PolicyOwnerID="RootOrganization"/>
		<PolicyGroupPolicy Name="Project-Folder-MarketingToolViewers-Policy" PolicyOwnerID="RootOrganization"/>
		<PolicyGroupPolicy Name="Project-Folders-ProjectManagers-Policy" PolicyOwnerID="RootOrganization"/>
	</PolicyGroup>
 
</Policies>

Stop the WebSphere Commerce test server.
Run the acpload utility to load the access control policy.
1. From a command prompt, go to the WCDE_installdir\bin directory.
2. Run the command for the acpload utility:
```
acpload ProjectAccessControlPolicies.xml
```
  For more information about running this utility, see acpload utility

Implement access control

About this task

Procedure

Results